Your agents move money, read your email and your data, and control physical devices. When bad actors want to take control, nothing stops them — and nothing proves it happened.
… and we extend coverage to whatever your audit requires.
Where the security lives
Same agent loop. Three runtimes. Only one is secured end to end.
Every agent runs the same four steps — Read → Think → Act → Report. What changes is the gates between the steps. Vanilla OpenClaw has none. NeMo Guardrails adds two text filters. enclawed gates every transition and anchors the whole loop on a tamper-evident audit log and a boot-time accreditor. Hover any block.
Not another guardrail — the only complete solution
Guardrails filter words. Prompt-injection firewalls scan inputs. Useful — but none of them gate the tools an agent calls, prove what it did in a record that can’t be edited, or ship the compliance evidence your auditor samples. As of today, enclawed-enclaved is the only product that does all of it.
Can it…
Vanilla runtime OpenClaw, LangChain
Content guardrails NeMo, Guardrails AI
Prompt firewalls Lakera, Rebuff
enclawed -enclaved
Block prompt injection across text, images & audio
Prove F1–F4 detection = 1.000, reproducible by you
✗
✗
✗
✓
✓ full · ~ partial / text channel only · ✗ none. Reflects each category’s documented default scope as of May 2026; individual products vary and evolve — corrections welcome at security@enclawed.com.
*FIPS-approved algorithms (AES-256-GCM, SHA-256, Ed25519, scrypt) executed by the host’s FIPS 140-3 validated module in approved mode — validation inherited from that module; no separate enclawed certificate required.
Same agents, same tools. enclawed checks every action before it happens and records it so it can’t be faked or erased. We measured it against the popular runtime, in‑vivo, through each one’s real command line.
Can it stop…
no record
a faked record
a silent failure
the wrong target
OpenClaw(popular runtime)
✗
✗
✗
✗
enclawed
✓
✓
✓
✓
Measured detection: OpenClaw caught 0.000; enclawed 1.000 — on a 1,600-sample baseline, holding at 80,000 samples and across 10 production LLMs.
Those four are closed by a single innovation — a biconditional correctness criterion that ties every action to the record. enclawed closes more than these four, with further innovations of its own — a covert-channel egress monitor, attested tool-server admission, and formal skill verification. The full body of work is in the research.
Don’t trust us — run it. Clone the open core and run the test yourself:
When it hit moltbook, ~180 AI agents spent 48 hours trying to poke holes in it. They couldn’t. See the research →
Coverage → compliance
What you can certify against, today
enclawed isn’t a single trick. Across the research it closes the structural failure modes and drives hidden exfiltration to zero — and, the part that actually gets you deployed, it ships the controls and the machine-readable evidence an assessor samples. Residuals are tracked in a signed POA&M, exactly as every framework expects.
Mapped to the standards
The frameworks you certify against, today
SOC 2, ISO 27001 — the controls and the evidence your assessor samples.
NIST 800-53 Rev 5 / 800-171, FedRAMP Moderate, CMMC L2 — the full NIST OSCAL set (CD + AR + SSP + POA&M), control-mapped.
HIPAA (45 CFR §164) — deny-by-default access, egress control, and a tamper-evident audit trail.
FIPS 140-3 — cryptography runs on the host’s validated module; deploy in approved mode and that validation is inherited (no separate enclawed certificate required).
enclawed ships the technical controls and the evidence; the certification is your organisation’s. Every residual is tracked in the signed POA&M — and when a new one surfaces, we measure it, close it, and publish.
Driven to zero · egress layer
Hidden exfiltration, measured out
Text carriers — zero-width & Unicode tricks, homoglyphs, whitespace, base64 blobs: residual capacity driven to zero.
Image carriers — LSB pixel steganography: zero; per-image mean luminance bounded to a measured cap.
Audio carriers — ultrasonic & sub-perceptual: zero; audible-band sonification bounded, exempted only for media signed at boot.
Multi-modal covert-channel egress reference monitor (arXiv:2605.20734). See the research →
Why it matters to you
Built to ship what otherwise can’t
Hardening an agent for a regulated or safety-critical deployment is not a quick config. Done from scratch it runs well past a quarter — and for the hardest targets it isn’t achievable at all. enclawed is the foundation that makes those deployments possible: getting here meant advancing the state of the art in AI cybersecurity, with 6+ research papers behind the structure. No magic timeline — just a system that turns “would never pass an audit” into one you can deploy and defend, with the evidence in the box.
For your security & compliance team
The certification layer your audit rides on
SOC 2, ISO 27001, FedRAMP, a HIPAA BAA, CMMC — those certify your organisation, not a library. enclawed-enclaved ships the technical controls and the machine-readable evidence your assessor samples, so the controls workstream stops being the thing that blocks (or sinks) the program. For cryptography, enclawed runs on the host’s FIPS 140-3 validated module — there is no enclawed-specific crypto module to certify.
FIPS 140-3 cryptography on the host’s validated module — every cryptographic operation uses FIPS-approved algorithms (AES-256-GCM, SHA-256, Ed25519, scrypt) executed by the host’s CMVP-validated provider in approved mode. Validation is inherited from that module; there is no separate enclawed module to certify.
Boot-time zero-trust accreditor — every extension is admitted only if its signed manifest matches the trust root; post-init tamper is blocked and audited.
Hash-chained tamper-evident audit log + multi-witness accreditation — the record can’t be rewritten without breaking the chain on the next verify.
Multi-modal covert-channel egress reference monitor — residual covert capacity driven to zero across text, image, and audio channels (paper: arXiv:2605.20734).
NIST OSCAL 1.2.2 submission set — Component Definition, Assessment Results, SSP starter, and POA&M — schema-validated, Ed25519-signed, hash-chain-audited every cycle, on a NIST 800-53 Rev 5 control mapping. Imports into your GRC stack; pairs with Vanta / Drata / Secureframe.
Continuous hardening, documented residual risk — F1–F4 are closed structurally; any newly surfaced failure mode is measured, fixed, and published, and every residual is tracked in the signed POA&M. We don’t claim zero gaps — we claim closed-or-tracked.
